DeathRansom
DeathRansom is a ransomware that runs on Microsoft Windows. It was discovered by GrujaRS. Michael Gillespie discovered a version that did not encrypt any files. It is aimed at English-speaking users. It uses code from Generic malware, DCRTR, GandCrab, ChaCha, and Major. It is believed to be related to DCRTR and STOP. Starting around November 20th, though, something changed: it has now resolved its issues and has begun to infect victims and encrypt their data.

Payload Transmission

DeathRansom is distributed by hacking through an insecure RDP configuration, using email spam and malicious attachments, deceptive downloads, botnets, exploits, malicious ads, web injects, fake updates, and repackaged and infected installers.

Infection

When DeathRansom is launched, it attempts to clear shadow volume copies. It uses the following commands:

    vssadmin.exe delete shadows /all /quiet
    WMIC shadowcopy delete

It then encrypts all files on the victim's computer except those whose full pathnames contain one of the following strings:

    programdata
    $recycle.bin
    program files
    windows
    all users
    appdata
    read_me.txt
    autoexec.bat
    desktop.ini
    autorun.inf
    ntuser.dat
    iconcache.db
    bootsect.bak
    boot.ini
    ntuser.dat.log
    thumbs.db

DeathRansom appends the ".wctc" extension, so a file titled "1.jpg" would appear as "1.jpg.wctc", and so on. The working version does not append an extension to encrypted files; they retain their original names. The only way to identify that a file has been encrypted by DeathRansom is the ABEFCDAB file marker appended to the end of encrypted files.

After this process is complete, a text file, "read_me.txt", is created on the desktop. This text file contains the ransom note. It begins with a warning in all capital letters stating that the file must not be deleted; it claims that, if there are any decryption errors, the system will be corrupted without this file.
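As an added example (this is not code from the Malware Wiki page, nor from any DeathRansom sample), the following Python triage helper shows the two checks an incident responder would want from this section: flagging the vssadmin/WMIC shadow-copy deletion commands in process-creation log lines, and identifying encrypted files by the trailing ABEFCDAB marker whether or not the ".wctc" extension is present. The log lines and the files it scans are constructed. The exclusion substrings are the page's own list, applied to the path relative to the scan root so the root's own name cannot trigger them. It assumes the marker is the eight ASCII bytes "ABEFCDAB" (the page does not say whether the marker is ASCII or raw hex, so confirm against a real sample before relying on it).

```python
import os
import re
import tempfile
from pathlib import Path

# Path substrings the page lists as excluded from encryption (case-insensitive).
SKIP_SUBSTRINGS = (
    "programdata", "$recycle.bin", "program files", "windows", "all users",
    "appdata", "read_me.txt", "autoexec.bat", "desktop.ini", "autorun.inf",
    "ntuser.dat", "iconcache.db", "bootsect.bak", "boot.ini",
    "ntuser.dat.log", "thumbs.db",
)

# ASSUMPTION: the trailing marker is the ASCII string "ABEFCDAB".
MARKER = b"ABEFCDAB"
EXTENSION = ".wctc"

# The two shadow-copy deletion commands from the page, matched on a
# lower-cased, whitespace-collapsed command line.
SHADOW_DELETE_PATTERNS = (
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
)

# Constructed process-creation log lines: "timestamp|image|command line".
SAMPLE_LOG = [
    "2019-11-20T10:01:02Z|C:\\Windows\\explorer.exe|C:\\Windows\\explorer.exe",
    "2019-11-20T10:01:05Z|C:\\Users\\alice\\Downloads\\invoice.exe|invoice.exe",
    "2019-11-20T10:01:06Z|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2019-11-20T10:01:07Z|C:\\Windows\\System32\\wbem\\WMIC.exe|WMIC shadowcopy delete",
    "2019-11-20T10:02:00Z|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
]


def is_shadow_copy_deletion(command_line: str) -> bool:
    """True if the command line deletes volume shadow copies."""
    normalized = " ".join(command_line.lower().split())
    return any(p.search(normalized) for p in SHADOW_DELETE_PATTERNS)


def flag_shadow_deletions(log_lines):
    """Return (line_number, command_line) for each line that deletes shadow copies."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        fields = line.split("|", 2)
        if len(fields) != 3:
            continue  # malformed line: skip it rather than abort the triage
        command = fields[2].strip()
        if is_shadow_copy_deletion(command):
            hits.append((number, command))
    return hits


def is_skipped_path(path: str) -> bool:
    """Mirror the malware's exclusion rule: skip if any listed substring appears."""
    lowered = path.lower()
    return any(s in lowered for s in SKIP_SUBSTRINGS)


def has_marker(path) -> bool:
    """True if the file ends with MARKER; the extension is deliberately ignored
    so the no-extension variant is found as well."""
    path = Path(path)
    if path.stat().st_size < len(MARKER):
        return False
    with path.open("rb") as fh:
        fh.seek(-len(MARKER), os.SEEK_END)
        return fh.read(len(MARKER)) == MARKER


def find_encrypted_files(root, mirror_exclusions=True):
    """Walk root and return sorted (path, variant) for files carrying the marker.
    With mirror_exclusions the page's list is applied to the root-relative path,
    narrowing the scan to what the malware itself would have touched."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if mirror_exclusions and is_skipped_path(os.path.relpath(full, root)):
                continue
            if has_marker(full):
                variant = "wctc-extension" if name.lower().endswith(EXTENSION) else "no-extension"
                found.append((full, variant))
    return sorted(found)


def demo():
    """Scan a constructed tree in a temp dir; returns root-relative, '/'-separated paths."""
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root, "Documents")
        docs.mkdir()
        (docs / "1.jpg.wctc").write_bytes(b"\x00" * 32 + MARKER)    # early variant
        (docs / "report.docx").write_bytes(b"\x01" * 64 + MARKER)   # working variant, name unchanged
        (docs / "notes.txt").write_bytes(b"plain text, untouched")  # not encrypted
        (docs / "desktop.ini").write_bytes(b"x" * 8 + MARKER)       # excluded path, never scanned
        return [(os.path.relpath(p, root).replace(os.sep, "/"), v)
                for p, v in find_encrypted_files(root)]


if __name__ == "__main__":
    for number, command in flag_shadow_deletions(SAMPLE_LOG):
        print(f"line {number}: shadow copy deletion: {command}")
    for path, variant in demo():
        print(f"encrypted ({variant}): {path}")
```

Matching on the command line rather than the image path is what makes the detection survive a renamed or copied vssadmin binary, and reading only the last eight bytes keeps the file scan cheap enough to run across a whole share. Passing mirror_exclusions=False scans everything, which is the safer choice when you are not certain the sample's exclusion list matches the page's.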
The message states that all of the victim's documents, photos, databases and other important files have been encrypted. It proclaims that the only way to decrypt the data is to purchase a decryption tool and a unique private key (generated individually for each victim) from the developers of DeathRansom. To verify that recovery is possible, users can send one file for free decryption. Victims are alerted that the test file cannot contain any valuable information (judging from other similar infections, this likely means it cannot be a database, backup or large spreadsheet). It must be no larger than 1 MB, and users are recommended to select pictures, text files or sheets. Email addresses are listed for contacting the cyber criminals (and for sending them the test file). While the ransom size is not stated, links are provided from which Bitcoins can be purchased, suggesting that payment will have to be made in this cryptocurrency. To prevent permanent data damage, victims are told not to rename the encrypted files and not to attempt decryption with third-party software.

The ransom note says the following:

    --= DEATHRANSOM =---

    *******UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*******
    *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

    All your files, documents, photos, databases and other important files are encrypted.
    You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
    Only we can give you this key and only we can recover your files.

    To be sure we have the decryptor and it works you can send an email death@firemail.cc and decrypt one file for free.
    But this file should be of not valuable!

    Do you really want to restore your files?
    Write to email death@cumallover.me
                   death@firemail.cc
    Your LOCK-ID: -

    >>>How to obtain bitcoin:
    The easiest way to buy bitcoins is LocalBitcoins site.
    You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
    hxxps://localbitcoins.com/buy_bitcoins
    Also you can find other places to buy Bitcoins and beginners guide here:
    hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

    >>> Free decryption as guarantee!
    Before paying you send us up to 1 file for free decryption.
    We recommeded to send pictures, text files, sheets, etc. (files no more than 1mb)

    IN ORDER TO PREVENT DATA DAMAGE:
    1. Do not rename encrypted files.
    2. Do not try to decrypt your data using third party software, it may cause permanent data loss.
    3. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.